I am running a DNS server in EC2, and it was pushing about 20mbps yesterday when I checked my billing dashboard and found 1.86 TB of used data this month. That's a big bill for my small project lab. I never noticed performance drops and didn't bother to setup traffic threshholds before, but I have now since this has cost me $200+ in bandwidth charges.
It seems someone used my DNS server as part of an amplification attack, however I am at a loss for how.
Config is below.
// BBB.BBB.BBB.BBB = ns2.mydomain.com ip address
options {
listen-on port 53 { any; };
// listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-transfer { BBB.BBB.BBB.BBB; };
allow-query-cache { BBB.BBB.BBB.BBB; };
allow-query { any; };
allow-recursion { none; };
empty-zones-enable no;
forwarders { 8.8.8.8; 8.8.4.4; };
fetch-glue no;
recursion no;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "mydomain.com" IN {
type master;
file "zones/mydomain.com";
allow-transfer { BBB.BBB.BBB.BBB; localhost; };
};
Given this configuration, I should NOT be answering any queries for zone's I don't host locally right? This server is the SOA for a few domain's, but is not used to look anything up by my other servers (everyone resolves against OpenDNS or Google). What directive do I have wrong here, or am I forgetting? My logs (63MB+) are full of this:
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 58.215.173.155#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 218.93.206.228#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 50.19.220.154#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
client 123.207.161.124#4444: query (cache) 'cpsc.gov/ANY/IN' denied
Best Answer
Even if your server is set to only answer authoritative queries as yours is, it's still possible for it to be used for an amplification attack -
ANYqueries against the root of a zone can trigger a fairly heavy UDP response, since the zone root tends to have a number of records, particularly with SPF/DKIM/DNSSEC.This is likely what's happening on your system - use
tcpdumpto confirm. If they are using your authoritative records in an amplification attack, your best options are going to be to simply move to a new IP and hope they don't follow, change your zone root records to make it a less effective amplification vector, or implement response rate limiting (if your BIND supports it).